Archive for the ‘Security’ Category

Zimmermann Strikes Again

Wednesday, March 19th, 2008

Philip Zimmermann is applying encryption to VoIP (Voice over Internet Protocol) to prevent the Russian mafia, foreign governments, hackers, disgruntled former employees, and just about anyone from tapping your VoIP calls.

He invoked the wrath of the US Government a few years ago when he released his source code to PGP (Pretty Good Privacy) and showed how to hook it up with email. This was at a time when the US Government regarded cryptographic software as a munition, and thus subject to arms trafficking export controls. Eventually the Government called off the dogs.

The Forbes posting How To Make Your Phone Untappable is an interview with Philip Zimmermann.

In the posting, he discusses why he released Zfone software for secure voice communication over the Internet (VoIP), using the ZRTP protocol.

So you’ve created a protocol that not even thousands of NSA agents working for years could unscramble?

Well, they’re using computers, not people. In fact, they’re using supercomputers that attempt every possible key. But they wouldn’t be able to guess the key to decrypt a ZRTP-encrypted conversation.

In fact, they’re using the same kind of encryption for their own classified data. If they knew how to break it, they probably wouldn’t trust it enough to use it themselves.

…John

Dangerous Web Pages

Saturday, March 15th, 2008

The iTnews posting Cyber-attack launched from 10,000 web pages says:

A security firm has identified over 10,000 web pages rigged by cyber-criminals to hijack the PCs of unsuspecting surfers.

The web pages have been modified to silently redirect visitors to sites laden with malware that attempt to break into the user’s PC.

McAfee Avert Labs described the assault as “one of the largest attacks to date of this kind”.

There is some good news in the posting.

McAfee Avert Labs first spotted the attack on 12 March. “Of the 10,000 pages that were compromised a number have already been cleaned up,” the firm stated.

To quote the catch phrase from Hill Street Blues:

“let’s be careful out there”

…John

Sad State of Wireless Security

Friday, March 14th, 2008

The Codenomicon white paper Wireless Security: Past, Present and Future discusses the state and future of Bluetooth, Wi-Fi, and WiMAX security.

The results are not encouraging. Vulnerabilities were found in 90% of the tested devices.

Despite boasts of hardened security measures, security researchers and black-hat hackers keep humiliating vendors. Security assessment of software by source code auditing is expensive and laborious. There are only a few methods for security analysis without access to the source code, and they are usually limited in scope. This may be one reason why many major software vendors have been stuck randomly fixing vulnerabilities that have been found and providing countless patches to their clients to keep the systems protected.

I guess the moral of this tale is be aware of what you hook up with.

…John

Security Must Evolve

Monday, March 10th, 2008

The PC World posting Security Must Evolve, CERT Official Says is a short but interesting read.

Security has gotten a bad rap in today’s enterprises, according to Lisa R. Young, senior member of the technical staff at Carnegie Mellon University’s Computer Emergency Response Team.

Security has to evolve into something that supports business, rather than the other way around, said Young, in Stockholm to speak at the European Computer Audit, Control and Security Conference.

The tendency is to want to start locking things down, so security is something that disables, not enables, business, according to Young.

I agree with Ms. Young. Maybe the Resiliency Engineering Framework created by her development team will help.

…John

Damn Spam

Sunday, March 9th, 2008

The key findings of the 2008 Annual Google Communications Intelligence Report aren’t very encouraging.


Trend #1: As the number of electronic messages increased in 2007, spam continued to be the biggest issue for most organizations



Trend #2: Executives look to IT personnel − rather than end-users − to ensure security and compliance



Trend #3: IT professionals face serious challenges in reaching security and compliance goals



Trend #4: Ensuring communications security and compliance is a significant productivity drain on IT resources



Trend #5: Organizations felt they spent too much time and money on their current communications security and compliance solution and had several key requirements on their wish list for a solution that overcomes these financial and productivity drains



Trend #6: SaaS models are gaining in popularity − and market share − because they directly address key IT productivity pains



Conclusion

The continued growth in electronic messaging − and the accompanying surge in spam − is a consistent and increasingly painful thorn in the side of IT professionals.
In most organizations, it is the IT department that is held accountable for ensuring the security and compliance of their electronic communications, but the obstacles to success are significant.

IT professionals today are not only facing the threat of spam, viruses, and worms, but they are also attempting to secure their increasingly mobile workforces, ensuring the availability and continuity of critical business processes, meeting compliance goals, planning for disaster recovery, preventing data leakage, and protecting their internal systems from hackers. It’s no wonder IT professionals are feeling the pain most acutely in their productivity levels.

SaaS solutions in general, and Google’s message security and compliance services in specific, address these IT productivity issues and help organizations tame the threats that lurk in electronic messaging. By deploying Google’s services, organizations can reduce the pains of ensuring security and compliance − and improve the productivity of their IT professionals.


Thank you Google for this sobering information.

Please read this most interesting report for much more detail.

…John

